Hackers Using ClickFix Social Eng Tactics to Deploy Malware


Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery, dubbed the “ClickFix” infection chain.

This novel attack strategy leverages advanced social engineering techniques to manipulate unsuspecting users into executing malicious scripts, leading to severe security breaches.

This article delves into the intricacies of the ClickFix method, its implications, and the steps users can take to protect themselves.

Prevalence for the last three months

The ClickFix Infection Chain

The ClickFix infection chain begins with users being lured to visit seemingly legitimate but compromised websites.

These websites are meticulously crafted to appear genuine, significantly increasing the likelihood of user compliance. Upon visiting these sites, victims are redirected to domains hosting fake popup windows.

These popups instruct users to paste a script into a PowerShell terminal, a command-line shell used for task automation and configuration management.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files

Once the script is pasted and executed in the PowerShell terminal, the malware can infiltrate the victim’s system. This can lead to data theft, system compromise, or further propagation of the malware.

The sophistication of this method lies in its ability to exploit the trust users place in seemingly authentic websites and prompts.

Malware Families Leveraging ClickFix

Two notable malware families, Lumma Stealer and DarkGate, have been observed leveraging the ClickFix technique.

Lumma Stealer is known for its ability to extract sensitive information, including passwords, credit card details, and other personal data, from infected systems.

DarkGate, on the other hand, is a more advanced threat that steals sensitive information, provides remote access, and establishes persistent backdoors in compromised systems.

DarkGate employs advanced evasion tactics, making it difficult to detect and remove. It can spread within networks, posing a significant cybersecurity threat.

Combining these malware families with the ClickFix technique represents a formidable challenge for cybersecurity professionals.

The Role of Phishing Emails

McAfee Labs obtained a phishing email from their spamtrap containing an HTML attachment masquerading as a Word document. Phishing emails play a crucial role in the ClickFix infection chain.

The HTML file displayed an error prompt designed to deceive users into taking actions that could lead to the download and execution of malicious software.

Email with Attachment

The phishing email tactic is particularly effective because it exploits the user’s familiarity with common file types and error messages.

By presenting a seemingly legitimate problem and offering a solution, the attackers increase the likelihood that users will follow the instructions and inadvertently execute the malicious script.

Technical Analysis

Upon examining the code within the HTML attachment, researchers discovered several base64-encoded content blocks. These blocks contained the malicious script users were instructed to paste into their PowerShell terminal.

The script, once executed, initiates the malware download and installation process.

Displays extension problem issue
Displays extension problem issue

This method of encoding and disguising the malicious script is a testament to the attackers’ sophistication. By hiding the true nature of the script within encoded blocks, they make it more challenging for automated security systems to detect and block the threat.

HTML contains Base64-encoded content in the title tag
After decoding the code
After decoding the code

Protecting Against ClickFix

To protect against the ClickFix infection chain and similar threats, users should follow these best practices:

  1. Be Cautious with Emails and Attachments: Always verify the sender’s identity before opening any email attachments, especially if they are unexpected or from unknown sources.
  2. Avoid Pasting Scripts: Never paste scripts or commands from untrusted sources into your terminal or command prompt.
  3. Use Security Software: Ensure your security software is up-to-date and capable of detecting and blocking advanced threats.
  4. Educate Yourself and Others: Stay informed about the latest cybersecurity threats and educate others about the risks and best practices for staying safe online.

The discovery of the ClickFix infection chain highlights the ever-evolving nature of cyber threats and the importance of vigilance in the digital age.

By understanding the tactics used by attackers and taking proactive measures to protect themselves, users can reduce the risk of falling victim to these sophisticated social engineering schemes.

As cybersecurity threats continue to grow in complexity, staying informed and cautious is more critical than ever.

Indicators of Compromise (IoCs)

File SHA256
DarkGate
Email c5545d28faee14ed94d650bda28124743e2d7dacdefc8bf4ec5fc76f61756df3
Html 0db16db812cb9a43d5946911501ee8c0f1e3249fb6a5e45ae11cef0dddbe4889
HTA 5c204217d48f2565990dfdf2269c26113bd14c204484d8f466fb873312da80cf
PS e9ad648589aa3e15ce61c6a3be4fc98429581be738792ed17a713b4980c9a4a2
ZIP 8c382d51459b91b7f74b23fbad7dd2e8c818961561603c8f6614edc9bb1637d1
AutoIT script 7d8a4aa184eb350f4be8706afb0d7527fca40c4667ab0491217b9e1e9d0f9c81
Lumma Stealer
URL tuchinehd[.]com
PS 07594ba29d456e140a171cba12d8d9a2db8405755b81da063a425b1a8b50d073
ZIP 6608aeae3695b739311a47c63358d0f9dbe5710bd0073042629f8d9c1df905a8
EXE e60d911f2ef120ed782449f1136c23ddf0c1c81f7479c5ce31ed6dcea6f6adf9

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo



Source link